Adversaries may attempt to evade system defenses by unloading minifilter drivers used by host-based sensors such as Sysmon through the use of the fltmc command-line utility. Accordingly, this analytic looks for command-line invocations of this utility when used to unload minifilter drivers.

ATT&CK Detections

Technique Subtechnique(s) Tactic(s) Level of Coverage
Impair Defenses Indicator Blocking Defense Evasion Low

D3FEND Techniques

ID Name
D3-PSA Process Spawn Analysis

Data Model References

Object Action Field
process create exe
process create command_line

Implementations

Pseudocode - fltmc invocation (Pseudocode, CAR native)

This is a pseudocode representation of the below splunk search.

processes = search Process:Create
fltmc_processes = filter processes where (
  exe = "fltmc.exe" AND command_line = "*unload*")
output fltmc_processes

Splunk search - fltmc invocation (Splunk, Sysmon native)

This Splunk search looks for process create events for the fltmc.exe utility and the specific command line used to unload minifilter drivers.

index=client EventCode=1 CommandLine="*unload*" (Image="C:\\Windows\\SysWOW64\\fltMC.exe" OR Image="C:\\Windows\\System32\\fltMC.exe")

LogPoint search - fltmc invocation (Logpoint, LogPoint native)

This LogPoint search looks for process create events for the fltmc.exe utility and the specific command line used to unload minifilter drivers.

norm_id=WindowsSysmon command="*unload*" (image="C:\Windows\SysWOW64\fltMC.exe" OR image="C:\Windows\System32\fltMC.exe")